[ntp:questions] Legitimate Source Ports for NTP traffic?

Steven Sommars stevesommarsntp at gmail.com
Thu Nov 29 00:14:15 UTC 2018

I looked at a sample of NTP queries sent to a busy European server. Many
queries had precision of -6, few were -7.

UDP source ports ranged from 1 to 65535. The most common UDP source ports
were 123, 1026, 1027, 1028, 1025.
A NIST paper, https://tf.nist.gov/general/pdf/2818.pdf , may be of
interest.  The UDP source port distribution shown in figure 5a is similar
to my observations.

On Wed, Nov 28, 2018 at 1:53 AM Miroslav Lichvar <mlichvar at redhat.com>

> On Tue, Nov 20, 2018 at 11:19:24AM -0600, Jason Rabel wrote:
> > In response to my own question I looked a little deeper into the odd
> > traffic using tcpdump. Best I can tell they are indeed properly
> > formatted NTP requests, the curious bit is seeing most of these
> > requests having a precision of -6 or -7. While I know some older MS OS
> > set their internal time update to around that, they also use the
> > microsoft time servers by default.
> Precision of -6 seems to be common. It's used by ntpdate for example.
> Not sure about -7.
> I suspect the number one reason for getting requests from privileged
> ports different than 123 is NAT. If there are two NTP clients behind
> NAT using port 123, one of them will have to get a different port.
> --
> Miroslav Lichvar
> _______________________________________________
> questions mailing list
> questions at lists.ntp.org
> http://lists.ntp.org/listinfo/questions

More information about the questions mailing list